Network Working Group C. Adams
Request for Comments: 2144 Entrust Technologies
Category: Informational May 1997
The CAST-128 Encryption Algorithm
Status of this Memo
This memo provides information for the Internet community. This memo
does not specify an Internet standard of any kind. Distribution of
this memo is unlimited.
Abstract
There is a need in the Internet community for an unencumbered
encryption algorithm with a range of key sizes that can provide
security for a variety of cryptographic applications and protocols.
This document describes an existing algorithm that can be used to
satisfy this requirement. Included are a description of the cipher
and the key scheduling algorithm (Section 2), the s-boxes (Appendix
A), and a set of test vectors (Appendix B).
TABLE OF CONTENTS
STATUS OF THIS MEMO
ABSTRACT
1. INTRODUCTION
2. DESCRIPTION OF ALGORITHM
3. INTELLECTUAL PROPERTY CONSIDERATIONS
4. SECURITY CONSIDERATIONS
5. REFERENCES
6. AUTHOR'S ADDRESS
APPENDICES
A. S-BOXES
B. TEST VECTORS
1. Introduction
This document describes the CAST-128 encryption algorithm, a DES-like
Substitution-Permutation Network (SPN) cryptosystem which appears to
have good resistance to differential cryptanalysis, linear
cryptanalysis, and related-key cryptanalysis. This cipher also
possesses a number of other desirable cryptographic properties,
including avalanche, Strict Avalanche Criterion (SAC), Bit
Independence Criterion (BIC), no complementation property, and an
absence of weak and semi-weak keys. It thus appears to be a good
candidate for general-purpose use throughout the Internet community
wherever a cryptographically-strong, freely-available encryption
algorithm is required.
Adams [Adams] discusses the CAST design procedure in some detail;
analyses can also be obtained on-line (see, for example, [Web1] or
[Web2]).
2. Description of Algorithm
CAST-128 belongs to the class of encryption algorithms known as
Feistel ciphers; overall operation is thus similar to the Data
Encryption Standard (DES). The full encryption algorithm is given in
the following four steps.
INPUT: plaintext m1...m64; key K = k1...k128.
OUTPUT: ciphertext c1...c64.
1. (key schedule) Compute 16 pairs of subkeys {Kmi, Kri} from K
(see Sections 2.1 and 2.4).
2. (L0,R0) <-- (m1...m64). (Split the plaintext into left and
right 32-bit halves L0 = m1...m32 and R0 = m33...m64.)
3. (16 rounds) for i from 1 to 16, compute Li and Ri as follows:
Li = Ri-1;
Ri = Li-1 ^ f(Ri-1,Kmi,Kri), where f is defined in Section 2.2
(f is of Type 1, Type 2, or Type 3, depending on i).
4. c1...c64 <-- (R16,L16). (Exchange final blocks L16, R16 and
concatenate to form the ciphertext.)
Decryption is identical to the encryption algorithm given above,
except that the rounds (and therefore the subkey pairs) are used in
reverse order to compute (L0,R0) from (R16,L16).
See Appendix B for test vectors which can be used to verify
correctness of an implementation of this algorithm.
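The four steps above and the reversed-subkey decryption, as an added Python example that is not part of RFC 2144. The round function f and the subkey pairs are stand-ins constructed for illustration (the real f and key schedule are defined in sections not reproduced here), so the output is not CAST-128 ciphertext.

```python
MASK32 = 0xFFFFFFFF

def rol32(x, n):
    """Rotate a 32-bit word left by n bits (0 <= n <= 31)."""
    return ((x << n) | (x >> (32 - n))) & MASK32

def f(d, km, kr, i):
    """STAND-IN round function, not the CAST-128 f (which also uses s-boxes).

    It only mirrors the interface: a 32-bit masking key km, a 5-bit rotation
    key kr, and three variants selected by the round number i.
    """
    variants = ((km + d) & MASK32, km ^ d, (km - d) & MASK32)
    return rol32(variants[(i - 1) % 3], kr & 31)

def crypt_block(block, subkeys, decrypt=False):
    """Run the Feistel network over one 64-bit block.

    subkeys is the list of (Km, Kr) pairs for rounds 1..n.
    """
    if len(block) != 8:
        raise ValueError("block must be 64 bits (8 bytes)")
    left = int.from_bytes(block[:4], "big")    # step 2: L0 = m1...m32
    right = int.from_bytes(block[4:], "big")   #         R0 = m33...m64
    rounds = list(enumerate(subkeys, start=1))
    if decrypt:
        rounds.reverse()   # same rounds, subkey pairs in reverse order
    for i, (km, kr) in rounds:                 # step 3
        left, right = right, left ^ f(right, km, kr, i)
    # step 4: exchange the final halves and concatenate
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")

# Constructed sample subkey pairs (NOT produced by the CAST-128 key schedule).
SUBKEYS = [((0x9E3779B9 * i) & MASK32, (7 * i) & 31) for i in range(1, 17)]

if __name__ == "__main__":
    pt = bytes.fromhex("0123456789abcdef")     # constructed sample block
    ct = crypt_block(pt, SUBKEYS)
    # f is never inverted: decryption reuses it with the subkeys reversed.
    assert crypt_block(ct, SUBKEYS, decrypt=True) == pt
    print(ct.hex())
```

Because the structure never inverts f, the same code path serves both directions; only the order of the subkey pairs changes.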
2.1. Pairs of Round Keys
CAST-128 uses a pair of subkeys per round: a 32-bit quantity Km is
used as a "masking" key and a 5-bit quantity Kr is used as a
"rotation" key.
2.5. Variable Keysize
The CAST-128 encryption algorithm has been designed to allow a key
size that can vary from 40 bits to 128 bits, in 8-bit increments
(that is, the allowable key sizes are 40, 48, 56, 64, ..., 112, 120,
and 128 bits). For variable keysize operation, the specification is
as follows:
1) For key sizes up to and including 80 bits (i.e., 40, 48, 56, 64,
72, and 80 bits), the algorithm is exactly as specified but uses
12 rounds instead of 16;
2) For key sizes greater than 80 bits, the algorithm uses the full 16
rounds;
3) For key sizes less than 128 bits, the key is padded with zero
bytes (in the rightmost, or least significant, positions) out to
128 bits (since the CAST-128 key schedule assumes an input key of
128 bits).
Note that although CAST-128 can support all 12 key sizes listed
above, 40 bits, 64 bits, 80 bits, and 128 bits are the sizes that
find utility in typical environments. Therefore, it will likely be
sufficient for most implementations to support some subset of only
these four sizes.
In order to avoid confusion when variable keysize operation is used,
the name CAST-128 is to be considered synonymous with the name CAST5;
this allows a keysize to be appended without ambiguity. Thus, for
example, CAST-128 with a 40-bit key is to be referred to as CAST5-40;
where a 128-bit key is explicitly intended, the name CAST5-128 should
be used.
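The variable keysize rules above, as an added Python example that is not part of RFC 2144. The names cast5_params, Cast5Params, K80 and K128 are hypothetical, and the sample keys are constructed. It also shows an edge case the rules imply: an 80-bit key and a 128-bit key ending in six zero bytes give the key schedule the same 128-bit input, so the round count has to be taken from the original key length.

```python
from typing import NamedTuple

SCHEDULE_KEY_BYTES = 16   # the key schedule assumes a 128-bit input key

class Cast5Params(NamedTuple):
    name: str             # unambiguous algorithm name, e.g. "CAST5-40"
    rounds: int           # 12 or 16
    schedule_key: bytes   # key zero-padded on the right to 128 bits

def cast5_params(key: bytes) -> Cast5Params:
    """Apply rules 1) to 3) of Section 2.5 to a caller-supplied key."""
    bits = len(key) * 8   # taking bytes enforces the 8-bit increments
    if not 40 <= bits <= 128:
        raise ValueError(f"key must be 40 to 128 bits, got {bits}")
    # Rules 1 and 2: 12 rounds up to and including 80 bits, otherwise 16.
    rounds = 12 if bits <= 80 else 16
    # Rule 3: pad with zero bytes in the rightmost positions.
    padded = key + bytes(SCHEDULE_KEY_BYTES - len(key))
    return Cast5Params(f"CAST5-{bits}", rounds, padded)

# Constructed sample keys: an 80-bit key, and a 128-bit key that happens to
# equal it followed by six zero bytes.
K80 = bytes.fromhex("00112233445566778899")
K128 = K80 + bytes(6)

if __name__ == "__main__":
    short, full = cast5_params(K80), cast5_params(K128)
    # Same key schedule input, different round counts and names.
    assert short.schedule_key == full.schedule_key
    print(short.name, short.rounds, "|", full.name, full.rounds)
```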
2.6. CAST5 Object Identifiers
For those who may be using CAST in algorithm negotiation within a
protocol, or in any other context which may require the use of OBJECT
IDENTIFIERs, the following OIDs have been defined.
algorithms OBJECT IDENTIFIER ::=
{ iso(1) memberBody(2) usa(840) nt(113533) nsn(7) algorithms(66) }
2.7. Discussion
CAST-128 is a 12- or 16-round Feistel cipher that has a blocksize of
64 bits and a keysize of up to 128 bits; it uses rotation to provide
intrinsic immunity to linear and differential attacks; it uses a
mixture of XOR, addition and subtraction (modulo 2**32) in the round
function; and it uses three variations of the round function itself
throughout the cipher. Finally, the 8x32 s-boxes used in the round
function each have a minimum nonlinearity of 74 and a maximum entry
of 2 in the difference distribution table.
This cipher appears to have cryptographic strength in accordance with
its keysize (128 bits) and has very good encryption / decryption
performance: 3.3 MBytes/sec on a 150 MHz Pentium processor.
3. Intellectual Property Considerations
The CAST-128 cipher described in this document is available worldwide
on a royalty-free basis for commercial and non-commercial uses.
4. Security Considerations
This entire memo is about security since it describes an algorithm
which is specifically intended for cryptographic purposes.
5. References
[Adams] Adams, C., "Constructing Symmetric Ciphers using the CAST
Design Procedure", Designs, Codes, and Cryptography (to appear).
[Web1] "Constructing Symmetric Ciphers using the CAST Design
Procedure" (identical to [Adams] but available on-line) and "CAST
Design Procedure Addendum", http://www.entrust.com/library.htm.
[Web2] "CAST Encryption Algorithm Related Publications",
http://adonis.ee.queensu.ca:8000/cast/cast.html.
6. Author's Address
Carlisle Adams
Entrust Technologies
750 Heron Road,
Ottawa, Canada, K1V 1A7
E-mail: cadams@entrust.com
Phone: +1.613.763.9008